Bug#1138487: xmltooling: FTBFS with openssl 4.0
Ravi Kant Sharma
ravi.kant.sharma at canonical.com
Wed Jul 1 15:45:28 BST 2026
Package: xmltooling
Followup-For: Bug #1138487
X-Debbugs-Cc: ravi.kant.sharma at canonical.com
Control: tags -1 patch ftbfs
Dear Maintainer,
The patch fixes the issue. xml-security-c should be fixed first as a build depends. https://bugs.debian.org/.internal/challenge.html?original=%2f1138461
-- System Information:
Debian Release: trixie/sid
APT prefers noble-updates
APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
Description: Fix OpenSSL 4.0 compatibility
Use const for X509 accessor return values, replace removed
ASN1_STRING_data() with ASN1_STRING_get0_data(), and use const for
X509_NAME_ENTRY_get_data() return values.
Author: Ravi Kant Sharma <ravi.kant.sharma at canonical.com>
Forwarded: https://codeberg.org/raviksharma/cpp-xmltooling/pulls/1
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2155031
Bug-Debian: https://bugs.debian.org/1138487
Last-Update: 2026-07-01
Index: xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp 2026-07-01 10:45:06.160617844 +0200
@@ -216,7 +216,7 @@
}
}
- X509_NAME* subject=X509_get_subject_name(certEE);
+ const X509_NAME* subject=X509_get_subject_name(certEE);
if (subject) {
// One way is a direct match to the subject DN.
// Seems that the way to do the compare is to write the X509_NAME into a BIO.
@@ -264,7 +264,7 @@
for (int an=0; an<numalts; an++) {
const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
if (check->type==GEN_DNS || check->type==GEN_URI) {
- const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+ const char* altptr = (const char*)ASN1_STRING_get0_data(check->d.ia5);
const int altlen = ASN1_STRING_length(check->d.ia5);
for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
#ifdef HAVE_STRCASECMP
@@ -291,7 +291,7 @@
while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
i = j;
if (i >= 0) {
- ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ const ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
// Copied in from libcurl.
/* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
is already UTF-8 encoded. We check for this case and copy the raw
@@ -300,7 +300,7 @@
j = ASN1_STRING_length(tmp);
if(j >= 0) {
peer_CN = (char*)OPENSSL_malloc(j + 1);
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
peer_CN[j] = '\0';
}
}
Index: xmltooling/xmltooling/security/impl/BasicX509Credential.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/BasicX509Credential.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/BasicX509Credential.cpp 2026-07-01 10:45:06.161617751 +0200
@@ -380,7 +380,7 @@
if (!cert)
return;
- X509_NAME* issuer=X509_get_issuer_name(cert);
+ const X509_NAME* issuer=X509_get_issuer_name(cert);
if (issuer) {
BIO* b = BIO_new(BIO_s_mem());
X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
@@ -403,7 +403,7 @@
BN_free(serialBN);
}
- X509_NAME* subject=X509_get_subject_name(cert);
+ const X509_NAME* subject=X509_get_subject_name(cert);
if (subject) {
BIO* b = BIO_new(BIO_s_mem());
X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
@@ -421,7 +421,7 @@
while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
i = j;
if (i >= 0) {
- ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ const ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
// Copied in from libcurl.
/* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
is already UTF-8 encoded. We check for this case and copy the raw
@@ -430,7 +430,7 @@
j = ASN1_STRING_length(tmp);
if(j >= 0) {
peer_CN = (char*)OPENSSL_malloc(j + 1);
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
peer_CN[j] = '\0';
}
}
@@ -450,7 +450,7 @@
for (int an=0; an<numalts; an++) {
const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
if (check->type==GEN_DNS || check->type==GEN_URI) {
- const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+ const char* altptr = (const char*)ASN1_STRING_get0_data(check->d.ia5);
const int altlen = ASN1_STRING_length(check->d.ia5);
if (altlen > 0)
m_keyNames.insert(string(altptr, altlen));
Index: xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/PKIXPathValidator.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp 2026-07-01 10:46:54.287136051 +0200
@@ -64,7 +64,7 @@
return ok;
}
- static string XMLTOOL_DLLLOCAL X509_NAME_to_string(X509_NAME* n)
+ static string XMLTOOL_DLLLOCAL X509_NAME_to_string(const X509_NAME* n)
{
string s;
BIO* b = BIO_new(BIO_s_mem());
@@ -89,7 +89,7 @@
// of seconds is zero").
// As long as OpenSSL doesn't provide any API to convert ASN1_TIME values
// time_t, we therefore have to parse it ourselves, unfortunately.
- if (sscanf((const char*)a->data, "%2d%2d%2d%2d%2d%2dZ",
+ if (sscanf((const char*)ASN1_STRING_get0_data(a), "%2d%2d%2d%2d%2d%2dZ",
&t.tm_year, &t.tm_mon, &t.tm_mday,
&t.tm_hour, &t.tm_min, &t.tm_sec) == 6) {
if (t.tm_year <= 50) {
@@ -379,7 +379,7 @@
GENERAL_NAME* gen = sk_GENERAL_NAME_value(dp->distpoint->name.fullname, iii);
// Only consider URIs, and stop after the first one we find.
if (gen->type == GEN_URI) {
- const char* cdpuri = (const char*)gen->d.ia5->data;
+ const char* cdpuri = (const char*)ASN1_STRING_get0_data(gen->d.ia5);
scoped_ptr<XSECCryptoX509CRL> crl(getRemoteCRLs(cdpuri));
if (crl.get() && crl->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL &&
(isFreshCRL(crl.get()) || (ii == sk_DIST_POINT_num(dps)-1 && iii == sk_GENERAL_NAME_num(dp->distpoint->name.fullname)-1))) {
More information about the Pkg-shibboleth-devel
mailing list